The following example policy workflow uses the mark-for-op action and the marked-for-op
filter to chain together a set of policies that accomplish one task: finding and tagging
any instances that are in a stopped state. The example specifies a custom tag called
c7n_stopped_instance, whose value records an op action of terminate 60 days in the
future. The reasoning behind terminating unpatchable instances is that after 60 days a
stopped instance will be far enough behind on patching and virus definitions (if used)
that starting it would present too large a security risk.

Note the use of the skew option with the marked-for-op filter in some of the policies to
notify the resource owners X number of days ahead of the scheduled marked-for-op action date.

```yaml
policies:

  - name: ec2-mark-stopped-instance
    resource: ec2
    description: |
      Mark any stopped ec2 instance for deletion in 60 days
      If an instance has not been started for 60 days or over
      then they will be deleted similar to internal policies as it won't be patched.
    filters:
      - "tag:c7n_stopped_instance": absent
      - "State.Name": stopped
    actions:
      - type: mark-for-op
        tag: c7n_stopped_instance
        op: terminate
        days: 60

  - name: ec2-unmark-previously-stopped
    resource: ec2
    description: |
      Unmark/untag any ec2 instance that was scheduled for deletion due to being stopped
      if they are currently running.
    filters:
      - "State.Name": running
      - "tag:c7n_stopped_instance": present
    actions:
      - type: unmark
        tags: ["c7n_stopped_instance"]

  - name: ec2-notify-before-delete-marked-14-days
    resource: ec2
    description: |
      Notify on any ec2 instances that will be deleted in 14 days if not started
    comments: |
      Your EC2 server will be terminated in 14 days if not started and patched by then.
      Please start your stopped servers and leave them on for 24 hours minimum to
      allow for patching to occur.
    filters:
      - type: marked-for-op
        tag: c7n_stopped_instance
        op: terminate
        skew: 14
    actions:
      - type: notify
        template: default.html
        priority_header: 2
        subject: "EC2 Stopped Instance Termination Scheduled! [custodian {{ account }} - {{ region }}]"
        violation_desc: "EC2(s) have been in a stopped state for 45 days and at 60 days will be terminated:"
        action_desc: |
          Your EC2 server will be terminated in 14 days if not started and patched by then.
          Please start your stopped servers and leave them on for 24 hours minimum to
          allow for patching to occur.
        to:
          - CloudCustodian@Company.com
          - resource-owner
        transport:
          type: sqs
          queue: https://sqs.us-east-1.amazonaws.com/12345678900/cloud-custodian-mailer
          region: us-east-1

  - name: ec2-notify-before-delete-marked-7-days
    resource: ec2
    description: |
      Notify on any ec2 instances that will be deleted in 7 days if not started
    filters:
      - type: marked-for-op
        tag: c7n_stopped_instance
        op: terminate
        skew: 7
    actions:
      - type: notify
        template: default.html
        priority_header: 1
        subject: "EC2 Stopped Instance Termination Scheduled! [custodian {{ account }} - {{ region }}]"
        violation_desc: "EC2(s) have been in a stopped state for 53 days and at 60 days will be terminated:"
        action_desc: |
          Your EC2 server will be terminated in 7 days if not started and patched by then.
          Please start your stopped servers and leave them on for 24 hours minimum to
          allow for patching to occur.
        to:
          - CloudCustodian@Company.com
          - resource-owner
        transport:
          type: sqs
          queue: https://sqs.us-east-1.amazonaws.com/12345678900/cloud-custodian-mailer
          region: us-east-1

  - name: ec2-delete-marked
    resource: ec2
    description: |
      Terminate and notify on any ec2 instances that were scheduled
      for deletion if it's been stopped for 60 days
      and no longer up-to-date on patching.
    filters:
      - type: marked-for-op
        tag: c7n_stopped_instance
        # must equal the op written by mark-for-op in ec2-mark-stopped-instance
        op: terminate
    actions:
      - type: terminate
        force: true
      - type: notify
        template: default.html
        priority_header: 1
        subject: "EC2 Stopped Instance Terminated [custodian {{ account }} - {{ region }}]"
        violation_desc: "EC2(s) had been stopped for 60 days and have now been terminated:"
        action_desc: |
          Your EC2 server has been terminated as its patching is too far out-of-date and
          beyond the 60 day window.
        to:
          - CloudCustodian@Company.com
          - resource-owner
        transport:
          type: sqs
          queue: https://sqs.us-east-1.amazonaws.com/12345678900/cloud-custodian-mailer
          region: us-east-1
```
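To see when each policy in the chain starts matching, the following added example (not Cloud Custodian's own code) models the marked-for-op decision for a single instance, including the skew window and the requirement that the filter's op equal the op recorded in the tag. It assumes the tag value follows the `<message>: <op>@<YYYY/MM/DD>` layout of Custodian's default mark-for-op message; the function names and the sample date are hypothetical.

```python
from datetime import date, datetime, timedelta

def mark_value(op, days, today):
    """Build the tag value a mark-for-op action would write on `today` (assumed layout)."""
    action_date = today + timedelta(days=days)
    return f"Resource does not meet policy: {op}@{action_date:%Y/%m/%d}"

def marked_for_op(tags, tag, op, today, skew=0):
    """Simplified model of the marked-for-op filter decision for one resource."""
    value = tags.get(tag)
    if not value or ":" not in value or "@" not in value:
        return False                      # untagged, or not a mark-for-op value
    marked_op, _, when = value.rsplit(":", 1)[1].strip().partition("@")
    if marked_op != op:
        return False                      # filter op must equal the op in the tag
    try:
        action_date = datetime.strptime(when, "%Y/%m/%d").date()
    except ValueError:
        return False                      # malformed date: never act on it
    # skew pulls the match window forward by that many days
    return today >= action_date - timedelta(days=skew)

def first_match_day(tags, marked_on, **kw):
    """Days after marking at which the filter first matches (None if not within 90)."""
    for n in range(91):
        day = marked_on + timedelta(days=n)
        if marked_for_op(tags, "c7n_stopped_instance", today=day, **kw):
            return n
    return None

MARKED_ON = date(2024, 1, 1)              # constructed sample date
TAGS = {"c7n_stopped_instance": mark_value("terminate", 60, MARKED_ON)}

if __name__ == "__main__":
    cases = [("notify, skew 14", dict(op="terminate", skew=14)),
             ("notify, skew 7", dict(op="terminate", skew=7)),
             ("terminate, no skew", dict(op="terminate")),
             ("filter op differs from tag", dict(op="stop"))]
    for label, kw in cases:
        print(f"{label}: first match on day {first_match_day(TAGS, MARKED_ON, **kw)}")
```

Because the comparison is "on or after", a skewed filter keeps matching on every run from its first match until the tag is removed, so the skew-14 policy still matches once the skew-7 policy begins to.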